CCNA Security Lab 6 - Unicast Reverse Path Forwarding - CLI 

Lab 6 


Unicast Reverse Path Forwarding 
Lab Objective: 

The objective of this lab exercise is for you to learn and understand how to 
implement Unicast Reverse Path Forwarding (uRPF) in Cisco IOS routers. 

Lab Purpose: 

The Unicast RPF feature helps to mitigate problems that are caused by the 
introduction of malformed or forged (spoofed) IP source addresses into a network 
by discarding IP packets that lack a verifiable IP source address. 

Lab Difficulty: 

This lab has a difficulty rating of 5/10. 

Readiness Assessment: 

When you are ready for your certification exam, you should complete this lab in 
no more than 10 minutes. 

Lab Topology: 

Please use the following topology to complete this lab exercise: 



NOTE: 


The purpose of this lab is to understand the configuration commands. You are not required to test the 
configuration as the complexity is beyond the scope of the CCNA Security. 


Lab 6 Configuration Tasks 
Task 1: 

Configure the hostnames and IP addresses on R1 and R2 as illustrated in the network diagram. 

Configure R2 to send R1 clocking information at a rate of 512Kbps. Ping between R1 and R2 to verify your 
configuration and ensure that the two routers have IP connectivity. 

Task 2: 

Configure uRPF on R1, while adhering to the following guidelines: 

- Deny all traffic sourced from the 127.0.0.0/8 subnet. This traffic should be logged in detail. 
- Deny all traffic sourced from any RFC 1918 subnet (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16). This traffic should be logged in detail. 
- Permit all other traffic. This traffic should not be logged. 
- Use an ACL of your liking, but do not apply the ACL to the interface with ip access-group; it is referenced by the uRPF command instead. 

In addition, configure R1 to allow Telnet access using a password of cisco. Ensure that users that log in 
are automatically assigned Level 15 access without using an enable password. This is a lab convenience 
only: Telnet carries the password in cleartext and a shared line password with privilege level 15 gives 
no accountability, so a production device would use SSH with AAA instead. 

Task 3: 

Verify your uRPF configuration by using the appropriate show commands. Keep in mind that the objective 
of this lab is to validate your configuration knowledge. You are not expected to spoof IP addresses to 
test uRPF configuration as this is beyond the scope of this course. 

Lab 6 Configuration and Verification 
Task 1: 

Router(config)#hostname R1 
R1(config)#int s0/0 
R1(config-if)#ip address 150.1.1.1 255.255.255.0 
R1(config-if)#no shutdown 
R1(config-if)#exit 
R1(config)#exit 
R1# 

Router(config)#hostname R2 
R2(config)#int s0/0 
R2(config-if)#clock rate 512000 
R2(config-if)#ip address 150.1.1.2 255.255.255.252 
R2(config-if)#no shutdown 
R2(config-if)#exit 
R2(config)#exit 
R2# 

R2#ping 150.1.1.1 

Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms 

Note that the configurations shown give R1 a /24 mask and R2 a /30 on the same link. The ping still 
succeeds because both addresses fall inside 150.1.1.0/30, but both ends of a point-to-point link should 
carry the same mask; use whichever mask the topology diagram specifies. 

Task 2: 

uRPF is a CEF feature, so CEF must be enabled before the interface will accept ip verify unicast 
reverse-path. The ACL is named on the uRPF command rather than applied with ip access-group, and it is 
consulted only for packets that fail the reverse-path check: a matching deny entry drops the packet and a 
matching permit entry forwards it anyway. The log-input keyword (rather than log) also records the ingress 
interface and the source Layer 2 address, which is what "logged in detail" asks for. 

R1(config)#ip cef 
R1(config)#access-list 111 remark "This is my uRPF ACL" 
R1(config)#access-list 111 deny ip 127.0.0.0 0.255.255.255 any log-input 
R1(config)#access-list 111 deny ip 10.0.0.0 0.255.255.255 any log-input 
R1(config)#access-list 111 deny ip 172.16.0.0 0.15.255.255 any log-input 
R1(config)#access-list 111 deny ip 192.168.0.0 0.0.255.255 any log-input 
R1(config)#access-list 111 permit ip any any 
R1(config)#int s0/0 
R1(config-if)#ip verify unicast reverse-path 111 
R1(config-if)#exit 
R1(config)#line vty 0 4 
R1(config-line)#password cisco 
R1(config-line)#login 
R1(config-line)#privilege level 15 
R1(config-line)#exit 
R1(config)#exit 
R1# 

Task 3: 

The show cef interface [name] command is used to verify that uRPF is enabled on an interface. Look for the 
"IP unicast RPF check is enabled" line; "Inbound access list is not set" confirms that ACL 111 is referenced 
by uRPF only and has not been applied to the interface directly: 

R1#show cef interface serial 0/0 
Serial0/0 is up (if_number 4) 
Corresponding hwidb fast_if_number 4 
Corresponding hwidb firstsw->if_number 4 
Internet address is 150.1.1.1/24 
ICMP redirects are always sent 
Per packet load-sharing is disabled 
IP unicast RPF check is enabled 
Inbound access list is not set 
Outbound access list is not set 
Interface is marked as point to point interface 
Hardware idb is Serial0/0 
Fast switching type 4, interface type 63 
IP CEF switching enabled 
IP CEF Feature Fast switching turbo vector 
Input fast flags 0x4000, Input fast flags2 0x0, Output fast flags 0x0, Output fast flags2 0x0 
ifindex 2(2) 
Slot 0 Slot unit 0 Unit 0 VC -1 
Transmit limit accumulator 0x0 (0x0) 
IP MTU 1500 
R1# 

In a production environment, once uRPF is configured, the show ip interface [name] command shows the uRPF 
mode, the exemption ACL and the packets dropped by the feature in Cisco IOS software: 

R1#show ip interface serial 0/0 

Serial0/0 is up, line protocol is up 
Internet address is 150.1.1.1/24 
Broadcast address is 255.255.255.255 
Address determined by setup command 
MTU is 1500 bytes 
Helper address is not set 
Directed broadcast forwarding is disabled 
Outgoing access list is not set 
Inbound access list is not set 

[Truncated Output] 

WCCP Redirect outbound is disabled 
WCCP Redirect inbound is disabled 
WCCP Redirect exclude is disabled 

IP verify source reachable-via RX, allow default, ACL 111 
34 verification drops 
31 suppressed verification drops 

"reachable-via RX" is the strict check: the best route for the packet's source address must point back 
out the interface the packet arrived on ("allow default" means a default route satisfies it). The 
verification drops counter is the number of packets that failed that check and were discarded; suppressed 
verification drops is the number that failed the check but were forwarded because a permit entry in ACL 
111 matched them. With permit ip any any at the end of the ACL, every spoofed source outside the four 
denied ranges is forwarded, so a suppressed count close to the drop count, as above, is a sign that the 
exemption is wider than intended. 
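The interaction between the reverse-path check and the exemption ACL is easier to see in code than in counters. The following Python script is an added example, not part of the lab: it models strict-mode uRPF as configured on R1 against a constructed FIB (the lab's 150.1.1.0/24 on Serial0/0 plus an assumed 192.0.2.0/24 LAN behind FastEthernet0/0), feeds it constructed packets and keeps the same two counters that show ip interface reports. It goes a little beyond the lab by also modelling the allow-default option and the case where no ACL entry matches. The wildcard-to-prefix helper, the Fib/Ace/UrpfCounters classes, the sample packets and the log line format are all assumptions made for the example.

```python
"""Model of strict-mode uRPF with an exemption ACL, as configured on R1 (added example).

For each ingress packet a router running ``ip verify unicast reverse-path <acl>`` in effect:
  1. looks up the packet's SOURCE address in the FIB (CEF table);
  2. strict mode: the best route must point back out the ingress interface;
  3. on failure consults the ACL: deny drops (logging if log/log-input is set),
     permit forwards anyway and bumps "suppressed verification drops".
The FIB, packets and log format below are constructed for this example.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


def wildcard_to_network(network: str, wildcard: str) -> IPv4Network:
    """Turn an IOS 'network wildcard' pair (e.g. 172.16.0.0 0.15.255.255) into a prefix."""
    w = int(IPv4Address(wildcard))
    if w & (w + 1):  # IOS accepts non-contiguous wildcards; this helper does not
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    host_bits = (w + 1).bit_length() - 1
    return IPv4Network(f"{network}/{32 - host_bits}", strict=False)


@dataclass
class Ace:
    action: str          # "permit" or "deny"
    source: IPv4Network  # source prefix the entry matches
    log: bool = False    # log / log-input keyword present


@dataclass
class Fib:
    """Longest-prefix-match table: prefix text -> egress interface name."""
    routes: dict[str, str]

    def __post_init__(self) -> None:
        self._table = {IPv4Network(p): iface for p, iface in self.routes.items()}

    def egress_for(self, addr: IPv4Address, allow_default: bool) -> str | None:
        # allow_default=False ignores 0.0.0.0/0, as strict uRPF does without 'allow-default'
        hits = [(p, i) for p, i in self._table.items()
                if addr in p and (allow_default or p.prefixlen > 0)]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


@dataclass
class UrpfCounters:
    verification_drops: int = 0             # failed RPF and were discarded
    suppressed_verification_drops: int = 0  # failed RPF but the ACL permitted them
    log: list[str] = field(default_factory=list)


def urpf_strict(fib: Fib, acl: list[Ace], ingress: str, src: str,
                counters: UrpfCounters, allow_default: bool = True) -> str:
    """Return 'forward' or 'drop' for one packet and update the counters."""
    addr = IPv4Address(src)
    if fib.egress_for(addr, allow_default) == ingress:
        return "forward"                      # RPF passed; the ACL is never consulted
    for ace in acl:
        if addr in ace.source:
            if ace.log:                       # stand-in for the router's access-list log message
                counters.log.append(f"uRPF fail on {ingress}: src {src} hit {ace.action} {ace.source}")
            if ace.action == "permit":
                counters.suppressed_verification_drops += 1
                return "forward"
            counters.verification_drops += 1
            return "drop"
    counters.verification_drops += 1          # no ACL entry matched (or no ACL): drop
    return "drop"


# ACL 111 from the lab, written with the helper above
ACL_111 = [
    Ace("deny", wildcard_to_network("127.0.0.0", "0.255.255.255"), log=True),
    Ace("deny", wildcard_to_network("10.0.0.0", "0.255.255.255"), log=True),
    Ace("deny", wildcard_to_network("172.16.0.0", "0.15.255.255"), log=True),
    Ace("deny", wildcard_to_network("192.168.0.0", "0.0.255.255"), log=True),
    Ace("permit", IPv4Network("0.0.0.0/0")),
]

# Constructed FIB for R1: the lab's serial subnet plus an assumed LAN behind Fa0/0
R1_FIB = Fib({"150.1.1.0/24": "Serial0/0", "192.0.2.0/24": "FastEthernet0/0"})

# Constructed packets arriving on Serial0/0: (source address, why it is interesting)
SAMPLE_PACKETS = [
    ("150.1.1.2", "R2 itself: passes the reverse-path check"),
    ("10.1.1.1", "RFC 1918 source with no route: fails, denied and logged"),
    ("127.0.0.1", "loopback source: fails, denied and logged"),
    ("192.0.2.5", "our own LAN prefix from the WAN: fails, but permit ip any any forwards it"),
]


def run_demo() -> tuple[list[tuple[str, str]], UrpfCounters]:
    counters = UrpfCounters()
    verdicts = [(src, urpf_strict(R1_FIB, ACL_111, "Serial0/0", src, counters))
                for src, _ in SAMPLE_PACKETS]
    return verdicts, counters


if __name__ == "__main__":
    verdicts, counters = run_demo()
    for (src, verdict), (_, why) in zip(verdicts, SAMPLE_PACKETS):
        print(f"{src:<12} {verdict:<8} {why}")
    print(f"{counters.verification_drops} verification drops")
    print(f"{counters.suppressed_verification_drops} suppressed verification drops")
    print(*counters.log, sep="\n")
```

Run as a script it prints one verdict per packet followed by the same two counters show ip interface reports. The fourth packet is the case the lab's permit ip any any creates: a source that fails the reverse-path check but is forwarded anyway, visible only in the suppressed counter, which is why that counter deserves a look in production.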

Lab 6 Configurations 
R1 Configuration 

R1#show run 
Building configuration... 

Current configuration : 1116 bytes 
! 
version 12.4 
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname R1 
! 
boot-start-marker 
boot-end-marker 
! 
logging buffered 4096 
no logging console 
! 
no aaa new-model 
no network-clock-participate slot 1 
no network-clock-participate wic 0 
ip cef 
! 
multilink bundle-name authenticated 
! 
archive 
 log config 
  hidekeys 
! 
interface FastEthernet0/0 
 no ip address 
 duplex auto 
 speed auto 
! 
interface Serial0/0 
 ip address 150.1.1.1 255.255.255.0 
 ip verify unicast reverse-path 111 
! 
ip forward-protocol nd 
! 
ip http server 
no ip http secure-server 
! 
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log-input 
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log-input 
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log-input 
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log-input 
access-list 111 permit ip any any 
access-list 111 remark "This is my uRPF ACL" 
! 
control-plane 
! 
line con 0 
line aux 0 
line vty 0 4 
 privilege level 15 
 password cisco 
 login 
! 
end 



R2 Configuration 

R2#show run 
Building configuration... 

Current configuration : 774 bytes 
! 
version 12.4 
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname R2 
! 
boot-start-marker 
boot-end-marker 
! 
no logging console 
! 
no aaa new-model 
no network-clock-participate slot 1 
no network-clock-participate wic 0 
ip cef 
! 
no ip domain lookup 
! 
multilink bundle-name authenticated 
! 
archive 
 log config 
  hidekeys 
! 
interface FastEthernet0/0 
 no ip address 
 duplex auto 
 speed auto 
! 
interface Serial0/0 
 ip address 150.1.1.2 255.255.255.252 
 clock rate 512000 
! 
ip forward-protocol nd 
! 
ip http server 
ip http authentication local 
no ip http secure-server 
! 
control-plane 
! 
line con 0 
line aux 0 
line vty 0 4 
 privilege level 15 
 password cisco 
 login 
! 
end 